Forum Discussion
Best practice for Global Admin account and how to transition my own account
- Mar 14, 2018
Service side, no credentials are stored. AAD Connect also doesn't store the GA credentials, it uses its own account. The common scenarios are storing credentials in PowerShell scripts/scheduled tasks and similar.
In general, once you create the new account, you can query the Azure AD audit logs for any logon activity from the old one, which should give you an idea if/where it's still used.
The best practice is using separate accounts, as it minimizes the chances you will expose the credentials for the privileged account (un)intentionally. But protecting it with MFA is a good middle ground.
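The check suggested above, as an added example that is not part of the original thread: a PowerShell script that pulls the old Global Admin's logons from the Azure AD sign-in logs (the part of the audit data that records authentications) and groups them by application, client and source IP, which is what separates an interactive login by a person from a script or scheduled task replaying stored credentials. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports) is installed, that the caller can consent to AuditLog.Read.All, and that the UPN passed in is a placeholder for the old account.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Reports) and a caller who can consent to
# AuditLog.Read.All. $OldAdminUpn is a placeholder for the old GA account.
#Requires -Modules Microsoft.Graph.Reports

param(
    [Parameter(Mandatory)] [string] $OldAdminUpn,   # e.g. 'oldadmin@contoso.onmicrosoft.com' (placeholder)
    [int] $Days = 30                                  # Azure AD Premium keeps sign-in logs for 30 days
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

# Graph expects an ISO 8601 UTC timestamp in the filter.
$since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$OldAdminUpn' and createdDateTime ge $since"

# -All follows the paging links so long-running scripts are not missed.
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

if (-not $signIns) {
    Write-Host "No sign-ins for $OldAdminUpn in the last $Days days."
    return
}

# A script or scheduled task shows up as repeated, non-interactive sign-ins
# from the same IP with a non-browser client (e.g. 'Exchange Web Services',
# 'Other clients'); a person shows up as interactive 'Browser' sign-ins.
$signIns |
    Group-Object AppDisplayName, ClientAppUsed, IpAddress |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object CreatedDateTime
        $first  = $sorted | Select-Object -First 1
        $last   = $sorted | Select-Object -Last 1
        [pscustomobject]@{
            App         = $first.AppDisplayName
            Client      = $first.ClientAppUsed
            IpAddress   = $first.IpAddress
            Interactive = $first.IsInteractive
            Count       = $_.Count
            FirstSeen   = $first.CreatedDateTime
            LastSeen    = $last.CreatedDateTime
            # 0 means the sign-in succeeded; anything else is a failure code.
            LastResult  = $last.Status.ErrorCode
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it as `.\Find-OldAdminSignIns.ps1 -OldAdminUpn 'oldadmin@contoso.onmicrosoft.com'` (file name and UPN are placeholders). One caveat worth planning around: Azure AD keeps sign-in logs for 30 days on Premium and 7 days on the free tier, so a monthly or quarterly job that still uses the old credentials will not appear in a single pass. Disable the old account rather than deleting it, and re-run the query after a full cycle of your scheduled jobs before removing it.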
- Chris Parker, Mar 14, 2018 (Iron Contributor)
Thanks for the response. This should be just what I needed. I haven't done much work with the audit log yet, so this will be a good chance.